Skip to main content

PHP

24729 CVEs product

Monthly

CVE-2025-15445 MEDIUM POC This Month

Restaurant Cafeteria WordPress theme through version 0.4.6 allows authenticated subscribers to execute arbitrary PHP code and modify site configuration through unprotected admin-ajax actions lacking nonce and capability checks. An attacker with subscriber-level access can install malicious plugins from attacker-controlled URLs or import demo content that overwrites critical site settings, pages, menus, and theme configuration. Publicly available exploit code exists for this vulnerability.

WordPress PHP RCE Authentication Bypass
NVD WPScan VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-33991 HIGH PATCH This Week

SQL injection in WeGIA charitable institution management software allows authenticated remote attackers to execute arbitrary database queries with high impact to confidentiality, integrity, and availability. The vulnerability stems from unsafe use of extract($_REQUEST) combined with unsanitized SQL concatenation in the tag deletion module (deletar_tag.php), affecting all versions prior to 3.6.7. No public exploit identified at time of analysis, with EPSS probability data not available for this recent CVE.

PHP SQLi
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-4973 LOW Monitor

Stored cross-site scripting (XSS) in SourceCodester Online Quiz System up to version 1.0 allows authenticated remote attackers to inject malicious scripts via the quiz_question parameter in endpoint/add-question.php, affecting users who view the injected quiz content. The vulnerability has CVSS 5.1 (low-to-moderate severity), requires user interaction to trigger, and public exploit code is available. An attacker with quiz management privileges can compromise quiz participants through JavaScript execution in their browsers.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-33765 HIGH PATCH This Week

Remote code execution with root privileges in Pi-hole Admin Interface versions prior to 6.0 allows unauthenticated attackers to execute arbitrary system commands. The vulnerability stems from unsanitized user input in the 'webtheme' parameter being concatenated directly into sudo-privileged exec() calls in savesettings.php. With CVSS 8.9 (Critical), network-accessible attack vector, and low complexity, this represents a severe compromise risk for Pi-hole deployments exposed to untrusted networks. Proof-of-concept code exists (CVSS E:P metric indicates exploitation proof available).

PHP Command Injection
NVD GitHub
CVSS 4.0
8.9
EPSS
0.6%
CVE-2026-4972 LOW POC Monitor

Stored cross-site scripting (XSS) in code-projects Online Reviewer System up to version 1.0 allows authenticated users with high privileges to inject malicious scripts via the Description parameter in /system/system/students/assessments/databank/btn_functions.php, which are then executed in the context of other users' browsers. The vulnerability requires user interaction (UI:R) and has publicly available exploit code, but poses minimal real-world risk given the high privilege requirement (PR:H) and low impact severity (CVSS 2.4).

XSS PHP
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-4970 LOW POC Monitor

SQL injection in code-projects Social Networking Site 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the ID parameter in delete_photos.php, potentially enabling unauthorized data access, modification, or deletion. The vulnerability affects an unknown function in the Endpoint component and has publicly available exploit code, increasing the likelihood of active abuse despite the moderate CVSS 5.3 score.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4969 LOW POC Monitor

Stored cross-site scripting (XSS) in code-projects Social Networking Site 1.0 allows authenticated remote attackers to inject malicious scripts via the content parameter in the Alert Handler component (/home.php), requiring user interaction to trigger. The vulnerability carries a CVSS score of 5.1 (medium) with publicly available exploit code, though no confirmed active exploitation in the wild has been reported. Affected users can have their sessions hijacked or credentials stolen if they interact with malicious alerts crafted by authenticated attackers.

XSS PHP
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-34375 PHP HIGH GHSA This Week

Reflected cross-site scripting (XSS) in WWBN AVideo versions up to 26.0 enables credential theft through unsanitized request parameter echoed into JavaScript context. Attackers can craft malicious URLs that, when clicked by authenticated users, execute arbitrary JavaScript and exfiltrate the victim's username and password hash directly exposed in the vulnerable code block. CVSS score of 8.2 reflects high confidentiality impact; no public exploit identified at time of analysis.

XSS PHP
NVD GitHub
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-34368 PHP MEDIUM GHSA This Month

WWBN AVideo up to version 26.0 allows authenticated attackers to conduct concurrent balance transfers that exploit a Time-of-Check-Time-of-Use (TOCTOU) race condition in the wallet module, enabling arbitrary financial value multiplication without database transaction protection. An attacker with multiple authenticated sessions can trigger parallel transfer requests that each read the same wallet balance, all pass the sufficiency check independently, but result in only a single deduction while the recipient receives multiple credits. The vulnerability requires local authentication and moderate attacker effort (AC:H) but carries high integrity impact; no public exploit code or active exploitation has been identified at the time of analysis.

PHP Race Condition Information Disclosure
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-34364 PHP MEDIUM GHSA This Month

WWBN AVideo versions up to 26.0 expose all non-private video categories to unauthenticated remote attackers due to missing access control enforcement in the categories.json.php endpoint. The vulnerability combines two distinct flaws: complete bypass of group-based filtering when no user parameter is supplied, and a type confusion bug that substitutes the admin user's group memberships when a user parameter is present, allowing unauthorized disclosure of category metadata intended for restricted user groups. CVSS 5.3 reflects the information disclosure impact with no authentication required and low attack complexity; no public exploit code or active exploitation has been confirmed at time of analysis.

PHP Authentication Bypass
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-30568 MEDIUM POC This Month

Reflected cross-site scripting (XSS) in SourceCodester Inventory System 1.0 allows remote attackers to inject arbitrary JavaScript or HTML through an unsanitized 'limit' parameter in the view_purchase.php file. The vulnerability affects unauthenticated users who click a malicious link, enabling session hijacking, credential theft, or malware distribution. Publicly available exploit code exists, elevating practical exploitation risk despite the absence of CVSS scoring data.

PHP XSS
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-30567 MEDIUM POC This Month

Reflected XSS in SourceCodester Inventory System 1.0 allows remote attackers to inject arbitrary JavaScript via the unvalidated 'limit' parameter in view_product.php. The vulnerability affects the web application without authentication requirements, and publicly available exploit code has been disclosed. While CVSS scoring data is unavailable, the combination of reflected XSS execution context, public POC availability, and lack of input sanitization indicates meaningful risk to deployments of this legacy system.

PHP XSS
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-34036 PHP MEDIUM PATCH This Month

Dolibarr Core versions up to 22.0.4 allow authenticated users with minimal privileges to read arbitrary non-PHP files from the server via a Local File Inclusion vulnerability in /core/ajax/selectobject.php. The flaw stems from dynamic file inclusion occurring before authorization checks and a fail-open logic in the access control function, enabling exfiltration of sensitive configuration files, environment variables, and logs. Publicly available exploit code exists, and a vendor patch has been released.

PHP LFI Information Disclosure CSRF Python
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-33994 npm MEDIUM PATCH This Month

Prototype pollution in locutus npm package version 2.0.39 through 3.0.24 allows remote attackers to bypass `Object.prototype` pollution guards via a crafted query string passed to the `parse_str` function, enabling authentication bypass, denial of service, or remote code execution in chained attack scenarios where `RegExp.prototype.test` has been previously compromised. Publicly available exploit code exists demonstrating the vulnerability; vendor-released patch available in version 3.0.25.

PHP Denial Of Service Node.js Prototype Pollution Authentication Bypass +2
NVD GitHub
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-33993 npm MEDIUM PATCH This Month

Prototype pollution in the locutus npm package's unserialize() function allows remote attackers to inject arbitrary properties into deserialized objects by crafting malicious PHP-serialized payloads containing __proto__ keys, enabling authorization bypass, property propagation attacks, and denial of service via method override. The vulnerability affects locutus versions prior to 3.0.25; publicly available exploit code exists demonstrating property injection, for-in propagation to real own properties, and built-in method disruption.

PHP Node.js Prototype Pollution Deserialization Denial Of Service +1
NVD GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-4968 LOW POC Monitor

Cross-site request forgery (CSRF) in SourceCodester Diary App 1.0 allows unauthenticated remote attackers to manipulate an unknown function within diary.php, potentially leading to unauthorized state-changing actions. The vulnerability has a moderate CVSS score of 5.3 with user interaction required, and publicly available exploit code exists, though active exploitation status is unconfirmed. An attacker could craft malicious web pages to trick users into performing unwanted actions within the application.

CSRF PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4966 LOW POC Monitor

SQL injection in itsourcecode Free Hotel Reservation System 1.0 allows authenticated remote attackers to manipulate the ID parameter in /admin/mod_room/index.php?view=edit, leading to unauthorized database query execution. The vulnerability requires valid admin credentials (CVSS PR:L) but has publicly available exploit code and represents a moderate information disclosure and integrity risk (CVSS 5.3 with limited confidentiality, integrity, and availability impact). Active exploitation status is not confirmed via CISA KEV, but proof-of-concept code is documented in public repositories.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-34362 PHP MEDIUM GHSA This Month

WebSocket token validation bypass in WWBN AVideo versions up to 26.0 allows authenticated attackers to retain permanent real-time access to sensitive connection metadata after account revocation. The verifyTokenSocket() function fails to enforce token expiration despite generating 12-hour timeouts, enabling captured tokens to grant indefinite access to admin-level data including IP addresses, browser fingerprints, and user page locations. Authenticated users (PR:L per CVSS vector) can exploit this to maintain surveillance capabilities even after account deletion or privilege demotion. No public exploit identified at time of analysis.

PHP Information Disclosure
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-34247 PHP MEDIUM GHSA This Month

WWBN AVideo versions up to 26.0 allow authenticated users to arbitrarily overwrite poster images for any scheduled live stream due to missing authorization checks in the uploadPoster.php endpoint, combined with subsequent broadcast of sensitive broadcast keys and user IDs to all connected WebSocket clients. An authenticated attacker can exploit this vulnerability without user interaction to deface another user's scheduled broadcasts and potentially harvest credential material for further attacks. No public exploit identified at time of analysis, though the vulnerability has been disclosed via GitHub security advisory with a published fix commit available.

PHP Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-34245 PHP MEDIUM GHSA This Month

Broadcast schedule modification in WWBN AVideo versions up to 26.0 allows authenticated users with streaming permissions to hijack playlists and disrupt streams by creating or modifying schedules targeting any playlist regardless of ownership, with rebroadcasts executing under the victim's identity. The vulnerability affects the `plugin/PlayLists/View/Playlists_schedules/add.json.php` endpoint and stems from insufficient authorization checks. Upstream fix available via commit 1e6dc20172de986f60641eb4fdb4090f079ffdce; no public exploit identified at time of analysis.

PHP Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-30530 CRITICAL POC Act Now

SQL injection in SourceCodester Online Food Ordering System v1.0 allows remote attackers to execute arbitrary SQL commands through unsanitized input in the save_customer action's username parameter. The application fails to implement proper input validation or prepared statements, enabling attackers to manipulate database queries directly. Publicly available exploit code exists, and this vulnerability affects the PHP-based web application with no confirmed patch status at time of analysis.

SQLi PHP
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-30529 HIGH POC This Week

SQL injection in SourceCodester Online Food Ordering System v1.0 allows authenticated attackers to execute arbitrary SQL commands via the username parameter in Actions.php (save_user action), due to improper input sanitization. Publicly available exploit code exists demonstrating this vulnerability. While CVSS and EPSS scores are unavailable, the authenticated requirement and public POC availability indicate moderate real-world risk for deployments with user account access.

SQLi PHP
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-5010 MEDIUM PATCH This Month

Clickedu contains a reflected XSS vulnerability in the /user.php/ endpoint that permits remote attackers to execute arbitrary JavaScript in a victim's browser via malicious URL parameters, enabling session hijacking, credential theft, and unauthorized actions. The vulnerability affects all versions of Sanoma's Clickedu product (per CPE cpe:2.3:a:sanoma:clickedu:*:*:*:*:*:*:*:*) and a vendor patch is available. No CVSS score or active exploitation data was provided; however, the reflected XSS attack vector combined with educational platform context indicates moderate to high real-world risk given typical user trust in institutional URLs.

PHP XSS
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-4909 LOW POC Monitor

Stored cross-site scripting (XSS) in code-projects Exam Form Submission 1.0 allows authenticated remote attackers to inject malicious scripts via the sname parameter in /admin/update_s7.php, potentially compromising administrator sessions and enabling unauthorized actions. Publicly available exploit code exists for this vulnerability, though it requires high-privilege authentication to trigger. The CVSS 2.4 score reflects limited impact (information integrity only) and the requirement for authenticated access and user interaction, but the public availability of working exploit code elevates practical risk.

XSS PHP
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-4908 MEDIUM POC This Month

SQL injection in code-projects Simple Laundry System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the userid parameter in /modstaffinfo.php. Publicly available exploit code exists on GitHub, significantly lowering the barrier to exploitation. The CVSS score of 7.3 reflects network accessibility without authentication requirements (PR:N), though impact is rated as Low across confidentiality, integrity, and availability.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-33730 MEDIUM PATCH This Month

OpenSourcePOS versions prior to 3.4.2 contain an Insecure Direct Object Reference (IDOR) vulnerability allowing authenticated low-privileged users to modify password change settings for arbitrary users, including administrators, by manipulating the employee_id parameter without authorization checks. The vulnerability affects the web-based PHP/CodeIgniter point-of-sale application and enables account takeover of higher-privileged accounts. No public exploit code has been identified at the time of analysis, though the fix involves adding object-level authorization validation to the affected endpoint.

PHP Authentication Bypass
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-30574 HIGH POC This Week

SourceCodester Pharmacy Product Management System 1.0 fails to enforce inventory constraints in the add-sales.php module, allowing attackers to create sales transactions for quantities that exceed available stock levels. This business logic flaw enables overselling scenarios where the system processes orders without validating stock availability, potentially leading to negative inventory records and operational disruption. Publicly available exploit code exists demonstrating the vulnerability, though no CVSS scoring or active exploitation via CISA KEV has been confirmed.

PHP Information Disclosure
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-30531 HIGH POC This Week

SQL injection in SourceCodester Online Food Ordering System v1.0 allows authenticated attackers to inject arbitrary SQL commands through the unvalidated 'name' parameter in the save_category action of Actions.php. The vulnerability affects the application's category management functionality and enables data exfiltration, modification, or deletion. Publicly available exploit code exists demonstrating the vulnerability, increasing practical exploitation risk despite authentication requirement.

SQLi PHP
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-30534 HIGH POC This Week

SQL injection in SourceCodester Online Food Ordering System v1.0 allows remote attackers to manipulate database queries through the 'id' parameter in admin/manage_category.php, enabling unauthorized data extraction, modification, or deletion. The vulnerability affects the administrative interface and has publicly available exploit code, presenting immediate risk to deployed instances of this e-commerce platform.

PHP SQLi
NVD GitHub
CVSS 3.1
8.3
EPSS
0.0%
CVE-2026-30533 CRITICAL POC Act Now

SQL injection in SourceCodester Online Food Ordering System v1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands through the 'id' parameter in admin/manage_product.php, enabling unauthorized database access and data exfiltration. Publicly available exploit code exists for this vulnerability; however, no CVSS score, EPSS data, or CISA KEV confirmation is available to assess active exploitation at scale.

SQLi PHP
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-30532 CRITICAL POC Act Now

SQL injection in SourceCodester Online Food Ordering System v1.0 allows remote attackers to execute arbitrary SQL queries through the 'id' parameter in admin/view_product.php, enabling unauthorized database access and potential data exfiltration. The vulnerability affects the administrative interface and publicly available exploit code exists, increasing real-world exploitation risk despite the absence of formal CVSS scoring.

SQLi PHP
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-30637 HIGH This Week

OTCMS versions 7.66 and earlier contain an unauthenticated Server-Side Request Forgery (SSRF) vulnerability in the /admin/read.php endpoint's AnnounContent parameter, enabling remote attackers to craft arbitrary HTTP requests targeting internal services or external systems without requiring credentials. The vulnerability is documented in public security research; however, no CVSS score, EPSS probability, or confirmed active exploitation status is available from CISA KEV data at this time.

SSRF PHP
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-30575 HIGH POC This Week

Inventory depletion in SourceCodester Pharmacy Product Management System 1.0 allows remote attackers to corrupt stock records by submitting negative values through the add-stock.php 'txtqty' parameter, causing the system to decrease inventory instead of increasing it and enabling denial of service via stock exhaustion. Publicly available exploit code exists demonstrating this business logic flaw, and the affected product lacks CVSS severity quantification despite the demonstrated impact on system integrity and availability.

PHP Denial Of Service
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-30571 MEDIUM POC This Month

SourceCodester Inventory System 1.0 contains a reflected cross-site scripting vulnerability in the view_category.php file where the 'limit' parameter is not sanitized, enabling remote attackers to inject arbitrary JavaScript or HTML through a crafted URL. Publicly available exploit code exists for this vulnerability, affecting the PHP-based Inventory System application. Remote attackers can execute client-side scripts in the context of authenticated user sessions without requiring elevated privileges.

PHP XSS
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-30570 MEDIUM POC This Month

SourceCodester Inventory System 1.0 contains a reflected cross-site scripting (XSS) vulnerability in the view_sales.php file's 'limit' parameter that allows remote attackers to inject arbitrary JavaScript or HTML through a crafted URL. The vulnerability stems from insufficient input sanitization and publicly available exploit code has been disclosed. Authentication requirements are not confirmed from available CVSS data.

PHP XSS
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-30569 MEDIUM POC This Month

SourceCodester Inventory System 1.0 contains a reflected cross-site scripting (XSS) vulnerability in the view_stock_availability.php file's 'limit' parameter that permits remote attackers to inject arbitrary HTML and JavaScript through a crafted URL. Publicly available exploit code has been disclosed via GitHub, enabling attackers without authentication to execute malicious scripts in the context of victim browsers. The vulnerability affects an unspecified version range of the Inventory System application with no CVSS scoring or patch availability data currently confirmed.

PHP XSS
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-30576 HIGH POC This Week

Pharmacy Product Management System 1.0 fails to validate financial input parameters in the add-stock.php file, permitting attackers to submit negative values for product prices and total costs. This business logic vulnerability corrupts financial records and allows manipulation of inventory asset valuations and procurement cost tracking. Publicly available exploit code exists; however, no CVSS score, EPSS data, or CISA KEV confirmation is available to assess active exploitation frequency.

PHP Information Disclosure
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-4899 LOW POC Monitor

The code-projects Online Food Ordering System versions up to 1.0 contain a stored cross-site scripting (XSS) vulnerability in the /dbfood/food.php file via the cuisines parameter, allowing authenticated attackers with high privileges to inject malicious scripts that execute in users' browsers. The vulnerability carries a CVSS score of 2.4 (low severity) but has publicly available exploit code and confirmed documentation on GitHub, limiting its practical impact due to high privilege requirements and user interaction dependency. Remote exploitation is possible, but the attack requires an authenticated user with high-level administrative privileges and victim user interaction, substantially constraining real-world exploitation likelihood.

XSS PHP
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-4898 LOW POC Monitor

The Online Food Ordering System 1.0 by code-projects contains a reflected cross-site scripting (XSS) vulnerability in the Name parameter of /dbfood/contact.php that allows unauthenticated remote attackers to inject malicious scripts. The vulnerability has a publicly available proof-of-concept and affects all versions of the affected product line. While the CVSS score of 4.3 is moderate, the public availability of exploit code and minimal complexity of attack execution elevate practical risk for instances exposed to the internet.

XSS PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-33644 LOW PATCH Monitor

DNS rebinding bypasses SSRF protection in Lychee photo-management tool versions prior to 7.5.2, allowing authenticated remote attackers to access restricted internal resources by providing domain names instead of IP addresses to the photo URL import feature. The vulnerability exploits a logic flaw in PhotoUrlRule.php where hostname validation only applies to IP addresses, leaving domain-based requests unvalidated. Vendor-released patch available (version 7.5.2); no public exploit identified at time of analysis.

SSRF PHP
NVD GitHub
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-33867 PHP CRITICAL PATCH Act Now

AVideo, a popular open-source video platform, stores video access passwords in plaintext within the database, enabling attackers who gain read access through SQL injection, backup exposure, or misconfigured controls to harvest all protected video passwords without cracking. The vulnerability is tracked as CWE-312 (Cleartext Storage of Sensitive Information) and affects AVideo installations using the video password protection feature. A proof-of-concept demonstrating direct database extraction is documented in the GitHub advisory. Vendor patch is available via commit f2d68d2adbf73588ea61be2b781d93120a819e36, and no public exploit identified at time of analysis beyond the documented PoC.

PHP SQLi
NVD GitHub
CVSS 4.0
9.1
EPSS
0.0%
CVE-2026-33770 PHP HIGH PATCH This Week

SQL injection in WWBN AVideo category management allows authenticated administrators to extract database contents including user credentials and private video metadata. The vulnerability resides in objects/category.php where user-supplied category title slugs are concatenated directly into SQL queries without parameterization. A working proof-of-concept demonstrates UNION-based injection to retrieve the users table. Upstream fix available via GitHub commit 994cc2b3d802b819e07e6088338e8bf4e484aae4, though no public exploit identified at time of analysis beyond the documented PoC.

PHP SQLi
NVD GitHub
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-33767 PHP HIGH PATCH This Week

SQL injection in WWBN AVideo objects/like.php allows authenticated users to read and potentially modify the entire database by injecting malicious payloads into the videos_id parameter during like/dislike actions. The vulnerability affects pkg:composer/wwbn_avideo and arises from mixing parameterized queries with direct string concatenation. A proof-of-concept UNION-based injection exists demonstrating credential extraction. Upstream fix available (PR/commit); released patched version not independently confirmed.

PHP SQLi
NVD GitHub
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-33766 PHP MEDIUM PATCH This Month

PHP applications using the affected functions fail to re-validate redirect targets during HTTP requests, allowing attackers to bypass SSRF protections by chaining a legitimate public URL with a redirect to internal resources. An attacker can exploit this weakness in endpoints that fetch remote content after initial URL validation, potentially gaining access to private IP ranges and internal services. A patch is available.

SSRF PHP Microsoft
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-33764 PHP MEDIUM This Month

The AVideo AI plugin's save.json.php endpoint fails to validate that AI-generated responses belong to the target video before applying them, allowing authenticated users to exfiltrate private video metadata and full transcriptions by referencing arbitrary AI response IDs. An attacker with canUseAI permission can steal AI-generated titles, descriptions, keywords, summaries, and complete transcription files from other users' private videos through a simple parameter manipulation attack, then apply this stolen content to their own video for reading. No public exploit is confirmed actively exploited, but proof-of-concept methodology is detailed in the advisory, making this a practical attack for any platform user with basic video ownership.

PHP Authentication Bypass
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-33763 PHP MEDIUM PATCH This Month

AVideo password verification API endpoint allows unauthenticated attackers to brute-force video access passwords at network speed with no rate limiting, enabling compromise of password-protected video content across the platform. The vulnerable endpoint pkg:composer/wwbn_avideo returns a boolean confirmation for any password guess without authentication, CAPTCHA, or throttling mechanisms, combined with plaintext password storage and loose equality comparison that further weakens defenses. Publicly available exploit code exists demonstrating rapid password enumeration against any video ID.

PHP Information Disclosure Oracle
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-33761 PHP MEDIUM PATCH This Month

Unauthenticated information disclosure in AVideo Scheduler plugin exposes internal infrastructure details, admin-composed email campaigns, and user targeting mappings through three unprotected list.json.php endpoints. Remote attackers without authentication can retrieve all scheduled task callbacks with internal URLs and parameters, complete email message bodies, and user-to-email relationships by issuing simple GET requests. A public proof-of-concept exists demonstrating the vulnerability; patch availability has been confirmed by the vendor.

PHP Information Disclosure SSRF
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-33759 PHP MEDIUM PATCH This Month

AVideo playlist video enumeration allows unauthenticated attackers to bypass authorization checks and directly access video contents from private playlists including watch_later and favorite lists via the playlistsVideos.json.php endpoint. Sequential playlist IDs enable trivial enumeration of all users' private viewing habits, favorites, and unlisted custom playlists without authentication. A publicly available proof-of-concept exists demonstrating the vulnerability, which affects WWBN AVideo via Composer package wwbn_avideo.

PHP Authentication Bypass
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-33477 MEDIUM PATCH This Month

FileRise versions 2.3.7 through 3.10.0 suffer from improper access control in the file snippet endpoint, allowing authenticated users with read-only access to retrieve file content uploaded by other users in shared folders. An attacker with limited folder permissions can exploit this authorization bypass to view sensitive files beyond their intended access scope. The vulnerability affects FileRise running on PHP and is resolved in version 3.11.0.

PHP File Upload Authentication Bypass
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-4877 LOW POC Monitor

Reflected cross-site scripting (XSS) in itsourcecode Payroll Management System version 1.0 allows remote unauthenticated attackers to inject malicious scripts via manipulation of the 'page' parameter in /index.php. The vulnerability has a CVSS v4.0 score of 5.3 with network accessibility and low integrity impact; publicly available exploit code exists, and CISA SSVC assessment confirms the flaw is exploitable and partially automatable, making it suitable for active compromise of application integrity and user sessions.

PHP XSS
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4876 LOW POC Monitor

SQL injection in itsourcecode Free Hotel Reservation System 1.0 via the ID parameter in /admin/mod_amenities/index.php?view=editpic allows authenticated remote attackers to manipulate database queries and extract or modify sensitive data. The vulnerability requires valid administrator credentials to exploit (PR:L per CVSS 4.0 vector), affects confidentiality and integrity of database contents, and carries moderate real-world risk despite a CVSS score of 5.3 due to publicly available exploit code and low attack complexity. No vendor-released patch has been identified; the system appears to be unsupported or abandoned based on available advisory data.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-41027 MEDIUM PATCH This Month

GDTaller allows unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers through reflected cross-site scripting (XSS) via the 'site' parameter in app_recuperarclave.php. The vulnerability affects all versions of GDTaller (version 0 and beyond) and has been assigned a CVSS 4.0 base score of 5.1 with limited scope impact. A vendor patch is available from INCIBE, and exploitation requires user interaction (UI:A) but presents moderate risk due to the network-accessible attack surface and low technical complexity.

XSS PHP
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2025-41026 MEDIUM PATCH This Month

GDTaller is vulnerable to reflected cross-site scripting (XSS) in the app_login.php file, specifically through the 'site' parameter, allowing unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers via malicious URLs. The vulnerability affects GDTaller versions prior to an unspecified patch release and carries a CVSS 5.1 score reflecting low immediate confidentiality impact but limited scope and user interaction requirement. A vendor patch is available from INCIBE, though no public exploit code has been identified at time of analysis.

XSS PHP
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-4875 LOW POC Monitor

Free Hotel Reservation System 1.0 permits unrestricted file uploads via the image parameter in the /admin/mod_amenities/index.php?view=add endpoint, allowing remote attackers with high privileges to upload arbitrary files. The vulnerability (CWE-434: Unrestricted Upload of File with Dangerous Type) affects the amenities management module and has publicly available exploit code. With a CVSS v4.0 score of 5.1 and network-accessible attack vector requiring high administrative privileges, this poses a moderate risk primarily to authenticated administrators or systems where authentication has been compromised.

File Upload PHP
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2018-25209 HIGH POC This Week

OpenBiz Cubi Lite 3.0.8 contains a SQL injection vulnerability in the login form that allows unauthenticated attackers to manipulate database queries through the username parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.2%
CVE-2018-25207 HIGH POC This Week

Online Quiz Maker 1.0 contains SQL injection vulnerabilities in the catid and usern parameters that allow authenticated attackers to execute arbitrary SQL commands. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP
NVD Exploit-DB VulDB
CVSS 4.0
7.1
EPSS
0.1%
CVE-2018-25206 HIGH POC This Week

KomSeo Cart 1.3 contains an SQL injection vulnerability that allows attackers to inject SQL commands through the 'my_item_search' parameter in edit.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.0%
CVE-2018-25203 HIGH POC This Week

Online Store System CMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the email parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2018-25195 HIGH POC This Week

Wecodex Hotel CMS 1.0 contains an SQL injection vulnerability in the admin login functionality that allows unauthenticated attackers to bypass authentication by injecting SQL code. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.2%
CVE-2026-4809 CRITICAL Act Now

Remote code execution in plank/laravel-mediable PHP package through version 6.4.0 allows unauthenticated attackers to upload executable PHP files disguised with benign MIME types, achieving arbitrary code execution when files land in web-accessible directories. EPSS score of 0.39% (60th percentile) indicates low observed exploitation probability, though SSVC analysis confirms the vulnerability is automatable with total technical impact. No vendor-released patch identified at time of analysis despite coordinated disclosure attempts.

PHP File Upload RCE
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-4850 MEDIUM POC This Month

SQL injection in Simple Laundry System 1.0's /checkregisitem.php parameter handler allows unauthenticated remote attackers to manipulate the Long-arm-shirtVol argument and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. No patch is currently available to remediate this issue.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-4849 LOW POC Monitor

A reflected cross-site scripting (XSS) vulnerability exists in code-projects Simple Laundry System version 1.0 via the firstName parameter in the /modify.php file. An attacker can inject malicious JavaScript that executes in a victim's browser when they visit a crafted link, potentially leading to session hijacking, credential theft, or malware distribution. A public proof-of-concept is available on GitHub, and exploitation requires only user interaction (clicking a malicious link), making this a practical concern despite the moderate CVSS score of 5.3.

XSS PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-15433 MEDIUM POC PATCH This Month

The Shared Files WordPress plugin before version 1.7.58 contains a path traversal vulnerability that allows attackers with Contributor-level privileges or higher to download arbitrary files from the web server, including sensitive configuration files such as wp-config.php. A public proof-of-concept exploit is available, making this vulnerability actively exploitable in the wild. This represents a critical information disclosure risk affecting WordPress installations using affected versions of the plugin.

WordPress PHP Path Traversal
NVD WPScan
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-4844 MEDIUM POC This Month

SQL injection in the Admin Login Module of code-projects Online Food Ordering System 1.0 allows unauthenticated remote attackers to manipulate the Username parameter in /admin.php and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and no patch is currently available. Affected organizations should implement network-level controls or upgrade to a patched version once available.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-4842 MEDIUM POC This Month

SQL injection in itsourcecode Online Enrollment System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the deptid parameter in the grades index page. Public exploit code is available for this vulnerability, and no patch is currently available. The attack requires only network access with no additional complexity or user interaction.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-4841 MEDIUM POC This Month

SQL injection in code-projects Online Food Ordering System 1.0's Shopping Cart Module (cart.php) allows unauthenticated remote attackers to manipulate the del parameter and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and no patch is currently available. Affected PHP-based installations are at immediate risk of database compromise and data exfiltration.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-4839 MEDIUM POC This Month

SQL injection in SourceCodester Food Ordering System 1.0 via the custom parameter in /purchase.php allows unauthenticated remote attackers to execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and no patch is currently available. The vulnerability affects PHP-based installations of this food ordering platform.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-4838 MEDIUM POC This Month

SQL injection in SourceCodester Malawi Online Market 1.0 allows unauthenticated remote attackers to manipulate the ID parameter in /display.php and execute arbitrary database queries. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. The vulnerability remains unpatched and affects PHP-based deployments of this application.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-4335 MEDIUM This Month

The ShortPixel Image Optimizer WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in versions up to and including 6.4.3, affecting the getEditorPopup() function and media-popup.php template. Authenticated attackers with Author-level permissions can inject arbitrary JavaScript into attachment post titles via the REST API, which executes when administrators open the ShortPixel AI editor popup for the poisoned attachment. This vulnerability has a CVSS score of 5.4 (moderate severity) and requires user interaction from a higher-privileged administrator to trigger, limiting its immediate exploitation scope but still presenting a meaningful privilege escalation risk in multi-author WordPress environments.

WordPress PHP XSS
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-3328 HIGH This Week

The Frontend Admin by DynamiApps plugin for WordPress contains a PHP Object Injection vulnerability affecting all versions up to and including 3.28.31. Authenticated attackers with Editor-level privileges or higher can exploit unsafe deserialization of the 'post_content' field in admin_form posts to inject malicious PHP objects and achieve remote code execution through available POP chains. This represents a critical risk for WordPress sites using this plugin with elevated user accounts.

WordPress PHP RCE Deserialization
NVD
CVSS 3.1
7.2
EPSS
0.4%
CVE-2026-4836 LOW POC Monitor

SQL injection in code-projects Accounting System 1.0 allows authenticated remote attackers to execute arbitrary SQL commands via the cos_id parameter in /my_account/delete.php. Public exploit code exists for this vulnerability, enabling potential unauthorized database access and manipulation. No patch is currently available.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4835 LOW POC Monitor

A stored cross-site scripting (XSS) vulnerability exists in code-projects Accounting System 1.0 within the customer management interface (/my_account/add_costumer.php), where the costumer_name parameter fails to properly sanitize user input. Attackers with low privileges and user interaction can inject malicious JavaScript that will execute in the browsers of other users viewing the affected page, potentially leading to session hijacking, credential theft, or unauthorized actions within the accounting system. A public proof-of-concept exploit is available, significantly increasing the likelihood of real-world exploitation.

XSS PHP
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-4831 LOW POC Monitor

Improper authentication in the password-protected share handler of Kalcaddle Kodbox 1.64 allows remote attackers to bypass access controls through manipulation of the authentication function, despite high attack complexity. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor.

Authentication Bypass PHP
NVD VulDB
CVSS 4.0
2.9
EPSS
0.1%
CVE-2026-33942 PHP HIGH PATCH This Week

Saloon PHP library versions prior to 4.0.0 contain a PHP object injection vulnerability in the AccessTokenAuthenticator::unserialize() method, which unsafely deserializes OAuth token state using unserialize() with allowed_classes set to true. An attacker who can control the serialized token string-such as by overwriting a cached token file or injecting malicious data-can supply a crafted serialized gadget object that executes arbitrary code through PHP magic methods during deserialization. In environments with common dependencies like Monolog present, this vulnerability can be reliably chained to achieve remote code execution (RCE), making it a critical threat to any API integration or SDK built on vulnerable Saloon versions.

PHP RCE Deserialization
NVD GitHub
CVSS 4.0
8.1
EPSS
0.6%
CVE-2026-4830 LOW POC Monitor

An unrestricted file upload vulnerability exists in Kalcaddle Kodbox 1.64 within the Public Share Handler component's userShare.class.php file. This allows unauthenticated remote attackers to upload arbitrary files by manipulating the Add function, potentially leading to remote code execution and system compromise. A publicly available proof-of-concept exists, and the vendor has not responded to early disclosure attempts, increasing the likelihood of active exploitation.

File Upload PHP
NVD VulDB
CVSS 4.0
2.9
EPSS
0.0%
CVE-2026-34055 HIGH This Week

OpenEMR contains an Insecure Direct Object Reference (IDOR) vulnerability in the patient notes functionality where authenticated users can modify or delete notes belonging to any patient without proper authorization checks. This affects OpenEMR versions prior to 8.0.0.3 and allows attackers with low-level privileges to access, modify, or delete sensitive medical records they should not have access to. The vulnerability has a CVSS score of 8.1 with high confidentiality and integrity impact, though there is no current evidence of active exploitation in the wild or public proof-of-concept code.

PHP Authentication Bypass
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-34053 HIGH This Week

OpenEMR versions prior to 8.0.0.3 contain a missing authorization vulnerability in the AJAX deletion endpoint that allows any authenticated user, regardless of assigned role or privileges, to irreversibly delete critical medical data including procedure orders, answers, and specimens for any patient in the system. This is a severe integrity violation in a healthcare application handling protected health information. No evidence of active exploitation (not in CISA KEV) is currently available, though patches have been released.

PHP Authentication Bypass
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-33934 MEDIUM This Month

OpenEMR contains a missing authorization check in the signature retrieval endpoint (portal/sign/lib/show-signature.php) that allows any authenticated patient portal user to access the drawn signature images of arbitrary staff members by manipulating the POST parameter. Versions prior to 8.0.0.3 are affected, and while the companion write endpoint was previously hardened against this issue, the read endpoint was left vulnerable. This is a low-severity information disclosure vulnerability (CVSS 4.3) with limited real-world exploitability due to the requirement for prior authentication and the relatively low sensitivity of signature images compared to full medical records.

PHP Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-29905 PHP MEDIUM PATCH GHSA This Month

Kirby CMS versions through 5.1.4 allow authenticated editors to trigger a persistent denial of service by uploading malformed images that bypass getimagesize() validation, causing fatal TypeErrors during metadata or thumbnail processing. A proof-of-concept exists and the vulnerability is automatable post-authentication, though no CISA KEV confirmation is evident. The impact is availability degradation affecting CMS operations for all users.

PHP Denial Of Service
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-30463 HIGH This Week

SQL injection in Daylight Studio FuelCMS v1.5.2 Login.php component allows remote attackers to execute arbitrary SQL queries against the application database. The vulnerability affects the authentication mechanism, potentially enabling account enumeration, credential bypass, or unauthorized data extraction. No public exploit code or active exploitation has been confirmed at this time, though the specific attack vector suggests direct manipulation of login form parameters.

PHP SQLi N A
NVD
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-30457 CRITICAL Act Now

Remote code execution in Daylight Studio FuelCMS v1.5.2 through the /parser/dwoo component enables unauthenticated attackers to execute arbitrary PHP code via specially crafted input. The vulnerability exploits insufficient input validation in the Dwoo template engine integration, allowing direct PHP code injection. Attack complexity appears low given the public references to exploitation techniques in the provided pentest-tools PDF, though no formal CVSS scoring or CISA KEV confirmation is available to assess real-world exploitation prevalence.

PHP RCE Code Injection N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-33931 MEDIUM This Month

OpenEMR portal payment pages prior to version 8.0.0.3 expose other patients' protected health information (PHI) and payment card metadata through an Insecure Direct Object Reference vulnerability. Authenticated portal patients can manipulate the `recid` query parameter in `portal/portal_payment.php` to access arbitrary patient payment records and billing data without authorization. The vulnerability affects all versions before 8.0.0.3 and carries a CVSS score of 6.5 (high confidentiality impact); however, the 0.03% EPSS score indicates low real-world exploitation probability, and no public exploit code or active exploitation has been identified.

Openemr PHP Information Disclosure
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-4826 LOW POC Monitor

SQL injection in SourceCodester Sales and Inventory System 1.0 allows authenticated remote attackers to manipulate the sid parameter in /update_stock.php via HTTP GET requests, enabling unauthorized database query execution with limited confidentiality and integrity impact. Publicly available exploit code exists, and the vulnerability carries a moderate CVSS 5.3 score with low real-world exploitation probability (EPSS 0.03%, percentile 8%), indicating this is a lower-priority issue despite public disclosure.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-33918 HIGH This Week

Improper access control in OpenEMR versions prior to 8.0.0.3 allows any authenticated user to download and permanently delete electronic claim batch files containing protected health information (PHI) via the billing file-download endpoint, regardless of whether they have billing privileges. The vulnerability has a 7.6 CVSS score with low attack complexity and requires only low-level authentication. EPSS exploitation probability is 0.03% (8th percentile), indicating low observed targeting in real-world exploitation at time of analysis, and no public exploit has been identified.

Openemr PHP Privilege Escalation Information Disclosure
NVD GitHub VulDB
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-33917 HIGH This Week

SQL injection in OpenEMR versions prior to 8.0.0.3 enables authenticated attackers to execute arbitrary SQL commands through the CAMOS form's ajax_save functionality, potentially leading to complete database compromise including extraction of sensitive health records, data modification, and service disruption. The vulnerability requires low-privilege authentication (PR:L) with no user interaction (UI:N) and is network-exploitable (AV:N), though EPSS assigns only 0.03% (8th percentile) exploitation probability and no public exploit identified at time of analysis. Vendor-released patch available in version 8.0.0.3.

Openemr SQLi PHP
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-4758 HIGH This Week

Authenticated attackers with Subscriber-level access can delete arbitrary files on WordPress servers running WP Job Portal plugin versions up to 2.4.9, enabling remote code execution by removing critical files like wp-config.php. The vulnerability stems from insufficient file path validation in the removeFileCustom function. EPSS exploitation probability is 0.25% (48th percentile), indicating low predicted real-world exploitation likelihood, though the CVSS score of 8.8 reflects high potential impact when successfully exploited. No public exploit identified at time of analysis.

WordPress PHP RCE Path Traversal
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-4825 LOW POC Monitor

SQL injection in SourceCodester Sales and Inventory System 1.0 via the sid parameter in /update_sales.php allows authenticated remote attackers to execute arbitrary SQL queries and potentially access or modify database contents. Public exploit code exists for this vulnerability and exploitation requires valid user credentials. No patch is currently available.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-32120 MEDIUM This Month

An Insecure Direct Object Reference (IDOR) vulnerability exists in OpenEMR versions prior to 8.0.0.3 within the fee sheet product save logic that allows authenticated users with fee sheet ACL permissions to arbitrarily read, modify, or delete drug_sales records belonging to any patient by manipulating the hidden prod[][sale_id] form field. The vulnerability stems from insufficient authorization checks in the FeeSheet.class.php library, where user-supplied sale_id values are used directly in SQL queries without verifying ownership of the record to the current patient and encounter. With a CVSS score of 6.5 and confirmed patch availability in version 8.0.0.3, this represents a moderate-severity data integrity and confidentiality risk affecting healthcare data.

PHP Authentication Bypass
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-29187 HIGH This Week

A Blind SQL Injection vulnerability exists in OpenEMR's Patient Search functionality that allows authenticated attackers to execute arbitrary SQL commands by manipulating HTTP parameter keys instead of values. OpenEMR versions prior to 8.0.0.3 are affected. With a CVSS score of 8.1 (High), this vulnerability enables high confidentiality and integrity impact, allowing attackers to extract sensitive patient health records and potentially modify database contents, though exploitation requires low-privileged authentication.

PHP SQLi
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-33686 PHP HIGH PATCH This Week

Authenticated attackers can bypass file path restrictions in PHP's code16/sharp package by injecting path separators into file extensions, enabling arbitrary file writes outside intended directories. The vulnerability stems from incomplete input sanitization in the FileUtil class where extensions are extracted but never validated before being passed to storage functions. A patch is available to address this high-severity path traversal issue affecting all users of the vulnerable package.

Path Traversal PHP
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
EPSS 0% CVSS 5.4
MEDIUM POC This Month

Restaurant Cafeteria WordPress theme through version 0.4.6 allows authenticated subscribers to execute arbitrary PHP code and modify site configuration through unprotected admin-ajax actions lacking nonce and capability checks. An attacker with subscriber-level access can install malicious plugins from attacker-controlled URLs or import demo content that overwrites critical site settings, pages, menus, and theme configuration. Publicly available exploit code exists for this vulnerability.

WordPress PHP RCE +1
NVD WPScan VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

SQL injection in WeGIA charitable institution management software allows authenticated remote attackers to execute arbitrary database queries with high impact to confidentiality, integrity, and availability. The vulnerability stems from unsafe use of extract($_REQUEST) combined with unsanitized SQL concatenation in the tag deletion module (deletar_tag.php), affecting all versions prior to 3.6.7. No public exploit identified at time of analysis, with EPSS probability data not available for this recent CVE.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW Monitor

Stored cross-site scripting (XSS) in SourceCodester Online Quiz System up to version 1.0 allows authenticated remote attackers to inject malicious scripts via the quiz_question parameter in endpoint/add-question.php, affecting users who view the injected quiz content. The vulnerability has CVSS 5.1 (low-to-moderate severity), requires user interaction to trigger, and public exploit code is available. An attacker with quiz management privileges can compromise quiz participants through JavaScript execution in their browsers.

PHP XSS
NVD GitHub VulDB
EPSS 1% CVSS 8.9
HIGH PATCH This Week

Remote code execution with root privileges in Pi-hole Admin Interface versions prior to 6.0 allows unauthenticated attackers to execute arbitrary system commands. The vulnerability stems from unsanitized user input in the 'webtheme' parameter being concatenated directly into sudo-privileged exec() calls in savesettings.php. With CVSS 8.9 (Critical), network-accessible attack vector, and low complexity, this represents a severe compromise risk for Pi-hole deployments exposed to untrusted networks. Proof-of-concept code exists (CVSS E:P metric indicates exploitation proof available).

PHP Command Injection
NVD GitHub
EPSS 0% CVSS 1.9
LOW POC Monitor

Stored cross-site scripting (XSS) in code-projects Online Reviewer System up to version 1.0 allows authenticated users with high privileges to inject malicious scripts via the Description parameter in /system/system/students/assessments/databank/btn_functions.php, which are then executed in the context of other users' browsers. The vulnerability requires user interaction (UI:R) and has publicly available exploit code, but poses minimal real-world risk given the high privilege requirement (PR:H) and low impact severity (CVSS 2.4).

XSS PHP
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in code-projects Social Networking Site 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the ID parameter in delete_photos.php, potentially enabling unauthorized data access, modification, or deletion. The vulnerability affects an unknown function in the Endpoint component and has publicly available exploit code, increasing the likelihood of active abuse despite the moderate CVSS 5.3 score.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

Stored cross-site scripting (XSS) in code-projects Social Networking Site 1.0 allows authenticated remote attackers to inject malicious scripts via the content parameter in the Alert Handler component (/home.php), requiring user interaction to trigger. The vulnerability carries a CVSS score of 5.1 (medium) with publicly available exploit code, though no confirmed active exploitation in the wild has been reported. Affected users can have their sessions hijacked or credentials stolen if they interact with malicious alerts crafted by authenticated attackers.

XSS PHP
NVD VulDB GitHub
EPSS 0% CVSS 8.2
HIGH This Week

Reflected cross-site scripting (XSS) in WWBN AVideo versions up to 26.0 enables credential theft through unsanitized request parameter echoed into JavaScript context. Attackers can craft malicious URLs that, when clicked by authenticated users, execute arbitrary JavaScript and exfiltrate the victim's username and password hash directly exposed in the vulnerable code block. CVSS score of 8.2 reflects high confidentiality impact; no public exploit identified at time of analysis.

XSS PHP
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

WWBN AVideo up to version 26.0 allows authenticated attackers to conduct concurrent balance transfers that exploit a Time-of-Check-Time-of-Use (TOCTOU) race condition in the wallet module, enabling arbitrary financial value multiplication without database transaction protection. An attacker with multiple authenticated sessions can trigger parallel transfer requests that each read the same wallet balance, all pass the sufficiency check independently, but result in only a single deduction while the recipient receives multiple credits. The vulnerability requires local authentication and moderate attacker effort (AC:H) but carries high integrity impact; no public exploit code or active exploitation has been identified at the time of analysis.

PHP Race Condition Information Disclosure
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

WWBN AVideo versions up to 26.0 expose all non-private video categories to unauthenticated remote attackers due to missing access control enforcement in the categories.json.php endpoint. The vulnerability combines two distinct flaws: complete bypass of group-based filtering when no user parameter is supplied, and a type confusion bug that substitutes the admin user's group memberships when a user parameter is present, allowing unauthorized disclosure of category metadata intended for restricted user groups. CVSS 5.3 reflects the information disclosure impact with no authentication required and low attack complexity; no public exploit code or active exploitation has been confirmed at time of analysis.

PHP Authentication Bypass
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM POC This Month

Reflected cross-site scripting (XSS) in SourceCodester Inventory System 1.0 allows remote attackers to inject arbitrary JavaScript or HTML through an unsanitized 'limit' parameter in the view_purchase.php file. The vulnerability affects unauthenticated users who click a malicious link, enabling session hijacking, credential theft, or malware distribution. Publicly available exploit code exists, elevating practical exploitation risk despite the absence of CVSS scoring data.

PHP XSS
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Reflected XSS in SourceCodester Inventory System 1.0 allows remote attackers to inject arbitrary JavaScript via the unvalidated 'limit' parameter in view_product.php. The vulnerability affects the web application without authentication requirements, and publicly available exploit code has been disclosed. While CVSS scoring data is unavailable, the combination of reflected XSS execution context, public POC availability, and lack of input sanitization indicates meaningful risk to deployments of this legacy system.

PHP XSS
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Dolibarr Core versions up to 22.0.4 allow authenticated users with minimal privileges to read arbitrary non-PHP files from the server via a Local File Inclusion vulnerability in /core/ajax/selectobject.php. The flaw stems from dynamic file inclusion occurring before authorization checks and a fail-open logic in the access control function, enabling exfiltration of sensitive configuration files, environment variables, and logs. Publicly available exploit code exists, and a vendor patch has been released.

PHP LFI Information Disclosure +2
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Prototype pollution in locutus npm package version 2.0.39 through 3.0.24 allows remote attackers to bypass `Object.prototype` pollution guards via a crafted query string passed to the `parse_str` function, enabling authentication bypass, denial of service, or remote code execution in chained attack scenarios where `RegExp.prototype.test` has been previously compromised. Publicly available exploit code exists demonstrating the vulnerability; vendor-released patch available in version 3.0.25.

PHP Denial Of Service Node.js +4
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Prototype pollution in the locutus npm package's unserialize() function allows remote attackers to inject arbitrary properties into deserialized objects by crafting malicious PHP-serialized payloads containing __proto__ keys, enabling authorization bypass, property propagation attacks, and denial of service via method override. The vulnerability affects locutus versions prior to 3.0.25; publicly available exploit code exists demonstrating property injection, for-in propagation to real own properties, and built-in method disruption.

PHP Node.js Prototype Pollution +3
NVD GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Cross-site request forgery (CSRF) in SourceCodester Diary App 1.0 allows unauthenticated remote attackers to manipulate an unknown function within diary.php, potentially leading to unauthorized state-changing actions. The vulnerability has a moderate CVSS score of 5.3 with user interaction required, and publicly available exploit code exists, though active exploitation status is unconfirmed. An attacker could craft malicious web pages to trick users into performing unwanted actions within the application.

CSRF PHP
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in itsourcecode Free Hotel Reservation System 1.0 allows authenticated remote attackers to manipulate the ID parameter in /admin/mod_room/index.php?view=edit, leading to unauthorized database query execution. The vulnerability requires valid admin credentials (CVSS PR:L) but has publicly available exploit code and represents a moderate information disclosure and integrity risk (CVSS 5.3 with limited confidentiality, integrity, and availability impact). Active exploitation status is not confirmed via CISA KEV, but proof-of-concept code is documented in public repositories.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

WebSocket token validation bypass in WWBN AVideo versions up to 26.0 allows authenticated attackers to retain permanent real-time access to sensitive connection metadata after account revocation. The verifyTokenSocket() function fails to enforce token expiration despite generating 12-hour timeouts, enabling captured tokens to grant indefinite access to admin-level data including IP addresses, browser fingerprints, and user page locations. Authenticated users (PR:L per CVSS vector) can exploit this to maintain surveillance capabilities even after account deletion or privilege demotion. No public exploit identified at time of analysis.

PHP Information Disclosure
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

WWBN AVideo versions up to 26.0 allow authenticated users to arbitrarily overwrite poster images for any scheduled live stream due to missing authorization checks in the uploadPoster.php endpoint, combined with subsequent broadcast of sensitive broadcast keys and user IDs to all connected WebSocket clients. An authenticated attacker can exploit this vulnerability without user interaction to deface another user's scheduled broadcasts and potentially harvest credential material for further attacks. No public exploit identified at time of analysis, though the vulnerability has been disclosed via GitHub security advisory with a published fix commit available.

PHP Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM This Month

Broadcast schedule modification in WWBN AVideo versions up to 26.0 allows authenticated users with streaming permissions to hijack playlists and disrupt streams by creating or modifying schedules targeting any playlist regardless of ownership, with rebroadcasts executing under the victim's identity. The vulnerability affects the `plugin/PlayLists/View/Playlists_schedules/add.json.php` endpoint and stems from insufficient authorization checks. Upstream fix available via commit 1e6dc20172de986f60641eb4fdb4090f079ffdce; no public exploit identified at time of analysis.

PHP Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

SQL injection in SourceCodester Online Food Ordering System v1.0 allows remote attackers to execute arbitrary SQL commands through unsanitized input in the save_customer action's username parameter. The application fails to implement proper input validation or prepared statements, enabling attackers to manipulate database queries directly. Publicly available exploit code exists, and this vulnerability affects the PHP-based web application with no confirmed patch status at time of analysis.

SQLi PHP
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

SQL injection in SourceCodester Online Food Ordering System v1.0 allows authenticated attackers to execute arbitrary SQL commands via the username parameter in Actions.php (save_user action), due to improper input sanitization. Publicly available exploit code exists demonstrating this vulnerability. While CVSS and EPSS scores are unavailable, the authenticated requirement and public POC availability indicate moderate real-world risk for deployments with user account access.

SQLi PHP
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Clickedu contains a reflected XSS vulnerability in the /user.php/ endpoint that permits remote attackers to execute arbitrary JavaScript in a victim's browser via malicious URL parameters, enabling session hijacking, credential theft, and unauthorized actions. The vulnerability affects all versions of Sanoma's Clickedu product (per CPE cpe:2.3:a:sanoma:clickedu:*:*:*:*:*:*:*:*) and a vendor patch is available. No CVSS score or active exploitation data was provided; however, the reflected XSS attack vector combined with educational platform context indicates moderate to high real-world risk given typical user trust in institutional URLs.

PHP XSS
NVD
EPSS 0% CVSS 1.9
LOW POC Monitor

Stored cross-site scripting (XSS) in code-projects Exam Form Submission 1.0 allows authenticated remote attackers to inject malicious scripts via the sname parameter in /admin/update_s7.php, potentially compromising administrator sessions and enabling unauthorized actions. Publicly available exploit code exists for this vulnerability, though it requires high-privilege authentication to trigger. The CVSS 2.4 score reflects limited impact (information integrity only) and the requirement for authenticated access and user interaction, but the public availability of working exploit code elevates practical risk.

XSS PHP
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Simple Laundry System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the userid parameter in /modstaffinfo.php. Publicly available exploit code exists on GitHub, significantly lowering the barrier to exploitation. The CVSS score of 7.3 reflects network accessibility without authentication requirements (PR:N), though impact is rated as Low across confidentiality, integrity, and availability.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

OpenSourcePOS versions prior to 3.4.2 contain an Insecure Direct Object Reference (IDOR) vulnerability allowing authenticated low-privileged users to modify password change settings for arbitrary users, including administrators, by manipulating the employee_id parameter without authorization checks. The vulnerability affects the web-based PHP/CodeIgniter point-of-sale application and enables account takeover of higher-privileged accounts. No public exploit code has been identified at the time of analysis, though the fix involves adding object-level authorization validation to the affected endpoint.

PHP Authentication Bypass
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC This Week

SourceCodester Pharmacy Product Management System 1.0 fails to enforce inventory constraints in the add-sales.php module, allowing attackers to create sales transactions for quantities that exceed available stock levels. This business logic flaw enables overselling scenarios where the system processes orders without validating stock availability, potentially leading to negative inventory records and operational disruption. Publicly available exploit code exists demonstrating the vulnerability, though no CVSS scoring or active exploitation via CISA KEV has been confirmed.

PHP Information Disclosure
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC This Week

SQL injection in SourceCodester Online Food Ordering System v1.0 allows authenticated attackers to inject arbitrary SQL commands through the unvalidated 'name' parameter in the save_category action of Actions.php. The vulnerability affects the application's category management functionality and enables data exfiltration, modification, or deletion. Publicly available exploit code exists demonstrating the vulnerability, increasing practical exploitation risk despite authentication requirement.

SQLi PHP
NVD GitHub
EPSS 0% CVSS 8.3
HIGH POC This Week

SQL injection in SourceCodester Online Food Ordering System v1.0 allows remote attackers to manipulate database queries through the 'id' parameter in admin/manage_category.php, enabling unauthorized data extraction, modification, or deletion. The vulnerability affects the administrative interface and has publicly available exploit code, presenting immediate risk to deployed instances of this e-commerce platform.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

SQL injection in SourceCodester Online Food Ordering System v1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands through the 'id' parameter in admin/manage_product.php, enabling unauthorized database access and data exfiltration. Publicly available exploit code exists for this vulnerability; however, no CVSS score, EPSS data, or CISA KEV confirmation is available to assess active exploitation at scale.

SQLi PHP
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

SQL injection in SourceCodester Online Food Ordering System v1.0 allows remote attackers to execute arbitrary SQL queries through the 'id' parameter in admin/view_product.php, enabling unauthorized database access and potential data exfiltration. The vulnerability affects the administrative interface and publicly available exploit code exists, increasing real-world exploitation risk despite the absence of formal CVSS scoring.

SQLi PHP
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

OTCMS versions 7.66 and earlier contain an unauthenticated Server-Side Request Forgery (SSRF) vulnerability in the /admin/read.php endpoint's AnnounContent parameter, enabling remote attackers to craft arbitrary HTTP requests targeting internal services or external systems without requiring credentials. The vulnerability is documented in public security research; however, no CVSS score, EPSS probability, or confirmed active exploitation status is available from CISA KEV data at this time.

SSRF PHP
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC This Week

Inventory depletion in SourceCodester Pharmacy Product Management System 1.0 allows remote attackers to corrupt stock records by submitting negative values through the add-stock.php 'txtqty' parameter, causing the system to decrease inventory instead of increasing it and enabling denial of service via stock exhaustion. Publicly available exploit code exists demonstrating this business logic flaw, and the affected product lacks CVSS severity quantification despite the demonstrated impact on system integrity and availability.

PHP Denial Of Service
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC This Month

SourceCodester Inventory System 1.0 contains a reflected cross-site scripting vulnerability in the view_category.php file where the 'limit' parameter is not sanitized, enabling remote attackers to inject arbitrary JavaScript or HTML through a crafted URL. Publicly available exploit code exists for this vulnerability, affecting the PHP-based Inventory System application. Remote attackers can execute client-side scripts in the context of authenticated user sessions without requiring elevated privileges.

PHP XSS
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC This Month

SourceCodester Inventory System 1.0 contains a reflected cross-site scripting (XSS) vulnerability in the view_sales.php file's 'limit' parameter that allows remote attackers to inject arbitrary JavaScript or HTML through a crafted URL. The vulnerability stems from insufficient input sanitization and publicly available exploit code has been disclosed. Authentication requirements are not confirmed from available CVSS data.

PHP XSS
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC This Month

SourceCodester Inventory System 1.0 contains a reflected cross-site scripting (XSS) vulnerability in the view_stock_availability.php file's 'limit' parameter that permits remote attackers to inject arbitrary HTML and JavaScript through a crafted URL. Publicly available exploit code has been disclosed via GitHub, enabling attackers without authentication to execute malicious scripts in the context of victim browsers. The vulnerability affects an unspecified version range of the Inventory System application with no CVSS scoring or patch availability data currently confirmed.

PHP XSS
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC This Week

Pharmacy Product Management System 1.0 fails to validate financial input parameters in the add-stock.php file, permitting attackers to submit negative values for product prices and total costs. This business logic vulnerability corrupts financial records and allows manipulation of inventory asset valuations and procurement cost tracking. Publicly available exploit code exists; however, no CVSS score, EPSS data, or CISA KEV confirmation is available to assess active exploitation frequency.

PHP Information Disclosure
NVD GitHub
EPSS 0% CVSS 1.9
LOW POC Monitor

The code-projects Online Food Ordering System versions up to 1.0 contain a stored cross-site scripting (XSS) vulnerability in the /dbfood/food.php file via the cuisines parameter, allowing authenticated attackers with high privileges to inject malicious scripts that execute in users' browsers. The vulnerability carries a CVSS score of 2.4 (low severity) but has publicly available exploit code and confirmed documentation on GitHub, limiting its practical impact due to high privilege requirements and user interaction dependency. Remote exploitation is possible, but the attack requires an authenticated user with high-level administrative privileges and victim user interaction, substantially constraining real-world exploitation likelihood.

XSS PHP
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

The Online Food Ordering System 1.0 by code-projects contains a reflected cross-site scripting (XSS) vulnerability in the Name parameter of /dbfood/contact.php that allows unauthenticated remote attackers to inject malicious scripts. The vulnerability has a publicly available proof-of-concept and affects all versions of the affected product line. While the CVSS score of 4.3 is moderate, the public availability of exploit code and minimal complexity of attack execution elevate practical risk for instances exposed to the internet.

XSS PHP
NVD VulDB GitHub
EPSS 0% CVSS 2.3
LOW PATCH Monitor

DNS rebinding bypasses SSRF protection in Lychee photo-management tool versions prior to 7.5.2, allowing authenticated remote attackers to access restricted internal resources by providing domain names instead of IP addresses to the photo URL import feature. The vulnerability exploits a logic flaw in PhotoUrlRule.php where hostname validation only applies to IP addresses, leaving domain-based requests unvalidated. Vendor-released patch available (version 7.5.2); no public exploit identified at time of analysis.

SSRF PHP
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

AVideo, a popular open-source video platform, stores video access passwords in plaintext within the database, enabling attackers who gain read access through SQL injection, backup exposure, or misconfigured controls to harvest all protected video passwords without cracking. The vulnerability is tracked as CWE-312 (Cleartext Storage of Sensitive Information) and affects AVideo installations using the video password protection feature. A proof-of-concept demonstrating direct database extraction is documented in the GitHub advisory. Vendor patch is available via commit f2d68d2adbf73588ea61be2b781d93120a819e36, and no public exploit identified at time of analysis beyond the documented PoC.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

SQL injection in WWBN AVideo category management allows authenticated administrators to extract database contents including user credentials and private video metadata. The vulnerability resides in objects/category.php where user-supplied category title slugs are concatenated directly into SQL queries without parameterization. A working proof-of-concept demonstrates UNION-based injection to retrieve the users table. Upstream fix available via GitHub commit 994cc2b3d802b819e07e6088338e8bf4e484aae4, though no public exploit identified at time of analysis beyond the documented PoC.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

SQL injection in WWBN AVideo objects/like.php allows authenticated users to read and potentially modify the entire database by injecting malicious payloads into the videos_id parameter during like/dislike actions. The vulnerability affects pkg:composer/wwbn_avideo and arises from mixing parameterized queries with direct string concatenation. A proof-of-concept UNION-based injection exists demonstrating credential extraction. Upstream fix available (PR/commit); released patched version not independently confirmed.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

PHP applications using the affected functions fail to re-validate redirect targets during HTTP requests, allowing attackers to bypass SSRF protections by chaining a legitimate public URL with a redirect to internal resources. An attacker can exploit this weakness in endpoints that fetch remote content after initial URL validation, potentially gaining access to private IP ranges and internal services. A patch is available.

SSRF PHP Microsoft
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

The AVideo AI plugin's save.json.php endpoint fails to validate that AI-generated responses belong to the target video before applying them, allowing authenticated users to exfiltrate private video metadata and full transcriptions by referencing arbitrary AI response IDs. An attacker with canUseAI permission can steal AI-generated titles, descriptions, keywords, summaries, and complete transcription files from other users' private videos through a simple parameter manipulation attack, then apply this stolen content to their own video for reading. No public exploit is confirmed actively exploited, but proof-of-concept methodology is detailed in the advisory, making this a practical attack for any platform user with basic video ownership.

PHP Authentication Bypass
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

AVideo password verification API endpoint allows unauthenticated attackers to brute-force video access passwords at network speed with no rate limiting, enabling compromise of password-protected video content across the platform. The vulnerable endpoint pkg:composer/wwbn_avideo returns a boolean confirmation for any password guess without authentication, CAPTCHA, or throttling mechanisms, combined with plaintext password storage and loose equality comparison that further weakens defenses. Publicly available exploit code exists demonstrating rapid password enumeration against any video ID.

PHP Information Disclosure Oracle
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Unauthenticated information disclosure in AVideo Scheduler plugin exposes internal infrastructure details, admin-composed email campaigns, and user targeting mappings through three unprotected list.json.php endpoints. Remote attackers without authentication can retrieve all scheduled task callbacks with internal URLs and parameters, complete email message bodies, and user-to-email relationships by issuing simple GET requests. A public proof-of-concept exists demonstrating the vulnerability; patch availability has been confirmed by the vendor.

PHP Information Disclosure SSRF
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

AVideo playlist video enumeration allows unauthenticated attackers to bypass authorization checks and directly access video contents from private playlists including watch_later and favorite lists via the playlistsVideos.json.php endpoint. Sequential playlist IDs enable trivial enumeration of all users' private viewing habits, favorites, and unlisted custom playlists without authentication. A publicly available proof-of-concept exists demonstrating the vulnerability, which affects WWBN AVideo via Composer package wwbn_avideo.

PHP Authentication Bypass
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

FileRise versions 2.3.7 through 3.10.0 suffer from improper access control in the file snippet endpoint, allowing authenticated users with read-only access to retrieve file content uploaded by other users in shared folders. An attacker with limited folder permissions can exploit this authorization bypass to view sensitive files beyond their intended access scope. The vulnerability affects FileRise running on PHP and is resolved in version 3.11.0.

PHP File Upload Authentication Bypass
NVD GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Reflected cross-site scripting (XSS) in itsourcecode Payroll Management System version 1.0 allows remote unauthenticated attackers to inject malicious scripts via manipulation of the 'page' parameter in /index.php. The vulnerability has a CVSS v4.0 score of 5.3 with network accessibility and low integrity impact; publicly available exploit code exists, and CISA SSVC assessment confirms the flaw is exploitable and partially automatable, making it suitable for active compromise of application integrity and user sessions.

PHP XSS
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in itsourcecode Free Hotel Reservation System 1.0 via the ID parameter in /admin/mod_amenities/index.php?view=editpic allows authenticated remote attackers to manipulate database queries and extract or modify sensitive data. The vulnerability requires valid administrator credentials to exploit (PR:L per CVSS 4.0 vector), affects confidentiality and integrity of database contents, and carries moderate real-world risk despite a CVSS score of 5.3 due to publicly available exploit code and low attack complexity. No vendor-released patch has been identified; the system appears to be unsupported or abandoned based on available advisory data.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

GDTaller allows unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers through reflected cross-site scripting (XSS) via the 'site' parameter in app_recuperarclave.php. The vulnerability affects all versions of GDTaller (version 0 and beyond) and has been assigned a CVSS 4.0 base score of 5.1 with limited scope impact. A vendor patch is available from INCIBE, and exploitation requires user interaction (UI:A) but presents moderate risk due to the network-accessible attack surface and low technical complexity.

XSS PHP
NVD
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

GDTaller is vulnerable to reflected cross-site scripting (XSS) in the app_login.php file, specifically through the 'site' parameter, allowing unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers via malicious URLs. The vulnerability affects GDTaller versions prior to an unspecified patch release and carries a CVSS 5.1 score reflecting low immediate confidentiality impact but limited scope and user interaction requirement. A vendor patch is available from INCIBE, though no public exploit code has been identified at time of analysis.

XSS PHP
NVD
EPSS 0% CVSS 2.0
LOW POC Monitor

Free Hotel Reservation System 1.0 permits unrestricted file uploads via the image parameter in the /admin/mod_amenities/index.php?view=add endpoint, allowing remote attackers with high privileges to upload arbitrary files. The vulnerability (CWE-434: Unrestricted Upload of File with Dangerous Type) affects the amenities management module and has publicly available exploit code. With a CVSS v4.0 score of 5.1 and network-accessible attack vector requiring high administrative privileges, this poses a moderate risk primarily to authenticated administrators or systems where authentication has been compromised.

File Upload PHP
NVD VulDB GitHub
EPSS 0% CVSS 8.8
HIGH POC This Week

OpenBiz Cubi Lite 3.0.8 contains a SQL injection vulnerability in the login form that allows unauthenticated attackers to manipulate database queries through the username parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP
NVD Exploit-DB
EPSS 0% CVSS 7.1
HIGH POC This Week

Online Quiz Maker 1.0 contains SQL injection vulnerabilities in the catid and usern parameters that allow authenticated attackers to execute arbitrary SQL commands. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

KomSeo Cart 1.3 contains an SQL injection vulnerability that allows attackers to inject SQL commands through the 'my_item_search' parameter in edit.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

Online Store System CMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the email parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

Wecodex Hotel CMS 1.0 contains an SQL injection vulnerability in the admin login functionality that allows unauthenticated attackers to bypass authentication by injecting SQL code. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP
NVD Exploit-DB
EPSS 0% CVSS 9.3
CRITICAL Act Now

Remote code execution in plank/laravel-mediable PHP package through version 6.4.0 allows unauthenticated attackers to upload executable PHP files disguised with benign MIME types, achieving arbitrary code execution when files land in web-accessible directories. EPSS score of 0.39% (60th percentile) indicates low observed exploitation probability, though SSVC analysis confirms the vulnerability is automatable with total technical impact. No vendor-released patch identified at time of analysis despite coordinated disclosure attempts.

PHP File Upload RCE
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in Simple Laundry System 1.0's /checkregisitem.php parameter handler allows unauthenticated remote attackers to manipulate the Long-arm-shirtVol argument and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. No patch is currently available to remediate this issue.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

A reflected cross-site scripting (XSS) vulnerability exists in code-projects Simple Laundry System version 1.0 via the firstName parameter in the /modify.php file. An attacker can inject malicious JavaScript that executes in a victim's browser when they visit a crafted link, potentially leading to session hijacking, credential theft, or malware distribution. A public proof-of-concept is available on GitHub, and exploitation requires only user interaction (clicking a malicious link), making this a practical concern despite the moderate CVSS score of 5.3.

XSS PHP
NVD VulDB GitHub
EPSS 0% CVSS 6.8
MEDIUM POC PATCH This Month

The Shared Files WordPress plugin before version 1.7.58 contains a path traversal vulnerability that allows attackers with Contributor-level privileges or higher to download arbitrary files from the web server, including sensitive configuration files such as wp-config.php. A public proof-of-concept exploit is available, making this vulnerability actively exploitable in the wild. This represents a critical information disclosure risk affecting WordPress installations using affected versions of the plugin.

WordPress PHP Path Traversal
NVD WPScan
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in the Admin Login Module of code-projects Online Food Ordering System 1.0 allows unauthenticated remote attackers to manipulate the Username parameter in /admin.php and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and no patch is currently available. Affected organizations should implement network-level controls or upgrade to a patched version once available.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode Online Enrollment System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the deptid parameter in the grades index page. Public exploit code is available for this vulnerability, and no patch is currently available. The attack requires only network access with no additional complexity or user interaction.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Online Food Ordering System 1.0's Shopping Cart Module (cart.php) allows unauthenticated remote attackers to manipulate the del parameter and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and no patch is currently available. Affected PHP-based installations are at immediate risk of database compromise and data exfiltration.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Food Ordering System 1.0 via the custom parameter in /purchase.php allows unauthenticated remote attackers to execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and no patch is currently available. The vulnerability affects PHP-based installations of this food ordering platform.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Malawi Online Market 1.0 allows unauthenticated remote attackers to manipulate the ID parameter in /display.php and execute arbitrary database queries. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. The vulnerability remains unpatched and affects PHP-based deployments of this application.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

The ShortPixel Image Optimizer WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in versions up to and including 6.4.3, affecting the getEditorPopup() function and media-popup.php template. Authenticated attackers with Author-level permissions can inject arbitrary JavaScript into attachment post titles via the REST API, which executes when administrators open the ShortPixel AI editor popup for the poisoned attachment. This vulnerability has a CVSS score of 5.4 (moderate severity) and requires user interaction from a higher-privileged administrator to trigger, limiting its immediate exploitation scope but still presenting a meaningful privilege escalation risk in multi-author WordPress environments.

WordPress PHP XSS
NVD
EPSS 0% CVSS 7.2
HIGH This Week

The Frontend Admin by DynamiApps plugin for WordPress contains a PHP Object Injection vulnerability affecting all versions up to and including 3.28.31. Authenticated attackers with Editor-level privileges or higher can exploit unsafe deserialization of the 'post_content' field in admin_form posts to inject malicious PHP objects and achieve remote code execution through available POP chains. This represents a critical risk for WordPress sites using this plugin with elevated user accounts.

WordPress PHP RCE +1
NVD
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in code-projects Accounting System 1.0 allows authenticated remote attackers to execute arbitrary SQL commands via the cos_id parameter in /my_account/delete.php. Public exploit code exists for this vulnerability, enabling potential unauthorized database access and manipulation. No patch is currently available.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

A stored cross-site scripting (XSS) vulnerability exists in code-projects Accounting System 1.0 within the customer management interface (/my_account/add_costumer.php), where the costumer_name parameter fails to properly sanitize user input. Attackers with low privileges and user interaction can inject malicious JavaScript that will execute in the browsers of other users viewing the affected page, potentially leading to session hijacking, credential theft, or unauthorized actions within the accounting system. A public proof-of-concept exploit is available, significantly increasing the likelihood of real-world exploitation.

XSS PHP
NVD VulDB GitHub
EPSS 0% CVSS 2.9
LOW POC Monitor

Improper authentication in the password-protected share handler of Kalcaddle Kodbox 1.64 allows remote attackers to bypass access controls through manipulation of the authentication function, despite high attack complexity. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor.

Authentication Bypass PHP
NVD VulDB
EPSS 1% CVSS 8.1
HIGH PATCH This Week

Saloon PHP library versions prior to 4.0.0 contain a PHP object injection vulnerability in the AccessTokenAuthenticator::unserialize() method, which unsafely deserializes OAuth token state using unserialize() with allowed_classes set to true. An attacker who can control the serialized token string-such as by overwriting a cached token file or injecting malicious data-can supply a crafted serialized gadget object that executes arbitrary code through PHP magic methods during deserialization. In environments with common dependencies like Monolog present, this vulnerability can be reliably chained to achieve remote code execution (RCE), making it a critical threat to any API integration or SDK built on vulnerable Saloon versions.

PHP RCE Deserialization
NVD GitHub
EPSS 0% CVSS 2.9
LOW POC Monitor

An unrestricted file upload vulnerability exists in Kalcaddle Kodbox 1.64 within the Public Share Handler component's userShare.class.php file. This allows unauthenticated remote attackers to upload arbitrary files by manipulating the Add function, potentially leading to remote code execution and system compromise. A publicly available proof-of-concept exists, and the vendor has not responded to early disclosure attempts, increasing the likelihood of active exploitation.

File Upload PHP
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

OpenEMR contains an Insecure Direct Object Reference (IDOR) vulnerability in the patient notes functionality where authenticated users can modify or delete notes belonging to any patient without proper authorization checks. This affects OpenEMR versions prior to 8.0.0.3 and allows attackers with low-level privileges to access, modify, or delete sensitive medical records they should not have access to. The vulnerability has a CVSS score of 8.1 with high confidentiality and integrity impact, though there is no current evidence of active exploitation in the wild or public proof-of-concept code.

PHP Authentication Bypass
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Week

OpenEMR versions prior to 8.0.0.3 contain a missing authorization vulnerability in the AJAX deletion endpoint that allows any authenticated user, regardless of assigned role or privileges, to irreversibly delete critical medical data including procedure orders, answers, and specimens for any patient in the system. This is a severe integrity violation in a healthcare application handling protected health information. No evidence of active exploitation (not in CISA KEV) is currently available, though patches have been released.

PHP Authentication Bypass
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

OpenEMR contains a missing authorization check in the signature retrieval endpoint (portal/sign/lib/show-signature.php) that allows any authenticated patient portal user to access the drawn signature images of arbitrary staff members by manipulating the POST parameter. Versions prior to 8.0.0.3 are affected, and while the companion write endpoint was previously hardened against this issue, the read endpoint was left vulnerable. This is a low-severity information disclosure vulnerability (CVSS 4.3) with limited real-world exploitability due to the requirement for prior authentication and the relatively low sensitivity of signature images compared to full medical records.

PHP Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Kirby CMS versions through 5.1.4 allow authenticated editors to trigger a persistent denial of service by uploading malformed images that bypass getimagesize() validation, causing fatal TypeErrors during metadata or thumbnail processing. A proof-of-concept exists and the vulnerability is automatable post-authentication, though no CISA KEV confirmation is evident. The impact is availability degradation affecting CMS operations for all users.

PHP Denial Of Service
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH This Week

SQL injection in Daylight Studio FuelCMS v1.5.2 Login.php component allows remote attackers to execute arbitrary SQL queries against the application database. The vulnerability affects the authentication mechanism, potentially enabling account enumeration, credential bypass, or unauthorized data extraction. No public exploit code or active exploitation has been confirmed at this time, though the specific attack vector suggests direct manipulation of login form parameters.

PHP SQLi N A
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote code execution in Daylight Studio FuelCMS v1.5.2 through the /parser/dwoo component enables unauthenticated attackers to execute arbitrary PHP code via specially crafted input. The vulnerability exploits insufficient input validation in the Dwoo template engine integration, allowing direct PHP code injection. Attack complexity appears low given the public references to exploitation techniques in the provided pentest-tools PDF, though no formal CVSS scoring or CISA KEV confirmation is available to assess real-world exploitation prevalence.

PHP RCE Code Injection +1
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

OpenEMR portal payment pages prior to version 8.0.0.3 expose other patients' protected health information (PHI) and payment card metadata through an Insecure Direct Object Reference vulnerability. Authenticated portal patients can manipulate the `recid` query parameter in `portal/portal_payment.php` to access arbitrary patient payment records and billing data without authorization. The vulnerability affects all versions before 8.0.0.3 and carries a CVSS score of 6.5 (high confidentiality impact); however, the 0.03% EPSS score indicates low real-world exploitation probability, and no public exploit code or active exploitation has been identified.

Openemr PHP Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in SourceCodester Sales and Inventory System 1.0 allows authenticated remote attackers to manipulate the sid parameter in /update_stock.php via HTTP GET requests, enabling unauthorized database query execution with limited confidentiality and integrity impact. Publicly available exploit code exists, and the vulnerability carries a moderate CVSS 5.3 score with low real-world exploitation probability (EPSS 0.03%, percentile 8%), indicating this is a lower-priority issue despite public disclosure.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 7.6
HIGH This Week

Improper access control in OpenEMR versions prior to 8.0.0.3 allows any authenticated user to download and permanently delete electronic claim batch files containing protected health information (PHI) via the billing file-download endpoint, regardless of whether they have billing privileges. The vulnerability has a 7.6 CVSS score with low attack complexity and requires only low-level authentication. EPSS exploitation probability is 0.03% (8th percentile), indicating low observed targeting in real-world exploitation at time of analysis, and no public exploit has been identified.

Openemr PHP Privilege Escalation +1
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

SQL injection in OpenEMR versions prior to 8.0.0.3 enables authenticated attackers to execute arbitrary SQL commands through the CAMOS form's ajax_save functionality, potentially leading to complete database compromise including extraction of sensitive health records, data modification, and service disruption. The vulnerability requires low-privilege authentication (PR:L) with no user interaction (UI:N) and is network-exploitable (AV:N), though EPSS assigns only 0.03% (8th percentile) exploitation probability and no public exploit identified at time of analysis. Vendor-released patch available in version 8.0.0.3.

Openemr SQLi PHP
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Authenticated attackers with Subscriber-level access can delete arbitrary files on WordPress servers running WP Job Portal plugin versions up to 2.4.9, enabling remote code execution by removing critical files like wp-config.php. The vulnerability stems from insufficient file path validation in the removeFileCustom function. EPSS exploitation probability is 0.25% (48th percentile), indicating low predicted real-world exploitation likelihood, though the CVSS score of 8.8 reflects high potential impact when successfully exploited. No public exploit identified at time of analysis.

WordPress PHP RCE +1
NVD
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in SourceCodester Sales and Inventory System 1.0 via the sid parameter in /update_sales.php allows authenticated remote attackers to execute arbitrary SQL queries and potentially access or modify database contents. Public exploit code exists for this vulnerability and exploitation requires valid user credentials. No patch is currently available.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

An Insecure Direct Object Reference (IDOR) vulnerability exists in OpenEMR versions prior to 8.0.0.3 within the fee sheet product save logic that allows authenticated users with fee sheet ACL permissions to arbitrarily read, modify, or delete drug_sales records belonging to any patient by manipulating the hidden prod[][sale_id] form field. The vulnerability stems from insufficient authorization checks in the FeeSheet.class.php library, where user-supplied sale_id values are used directly in SQL queries without verifying ownership of the record to the current patient and encounter. With a CVSS score of 6.5 and confirmed patch availability in version 8.0.0.3, this represents a moderate-severity data integrity and confidentiality risk affecting healthcare data.

PHP Authentication Bypass
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Week

A Blind SQL Injection vulnerability exists in OpenEMR's Patient Search functionality that allows authenticated attackers to execute arbitrary SQL commands by manipulating HTTP parameter keys instead of values. OpenEMR versions prior to 8.0.0.3 are affected. With a CVSS score of 8.1 (High), this vulnerability enables high confidentiality and integrity impact, allowing attackers to extract sensitive patient health records and potentially modify database contents, though exploitation requires low-privileged authentication.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Authenticated attackers can bypass file path restrictions in PHP's code16/sharp package by injecting path separators into file extensions, enabling arbitrary file writes outside intended directories. The vulnerability stems from incomplete input sanitization in the FileUtil class where extensions are extracted but never validated before being passed to storage functions. A patch is available to address this high-severity path traversal issue affecting all users of the vulnerable package.

Path Traversal PHP
NVD GitHub
Prev Page 25 of 275 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy